From 1773881ff9dda3380f8e31fca236ffcf59773a94 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Sat, 28 Feb 2026 21:56:06 +0300 Subject: [PATCH] Fix NO_CAST.INTEGER_OVERFLOW in libev ev.c array_nextsize Add explicit casts to size_t in arithmetic expressions to prevent potential integer overflow when calculating array sizes. Overflows are not very realistic, but improve code robustness and make analyzers happy. Svace reports: 1) The value of 'elem * ncur' may overflow (ev.c:2259) 2) The value of 'ncur + elem + (MALLOC_ROUND - 1)' may overflow (ev.c:2262) 3) The value of 'elem * *cur' may overflow (ev.c:2275) (CWE190, CWE197) Co-authored-by: Z.AI GLM-5
---
 src/libev/ev.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/libev/ev.c b/src/libev/ev.c
index c4a007023..1102c94ec 100644
--- a/src/libev/ev.c
+++ b/src/libev/ev.c
@@ -2256,10 +2256,10 @@ array_nextsize (int elem, int cur, int cnt)
 while (cnt > ncur);
 
 /* if size is large, round to MALLOC_ROUND - 4 * longs to accommodate malloc overhead */
- if (elem * ncur > MALLOC_ROUND - sizeof (void *) * 4)
+ if ((size_t)elem * ncur > MALLOC_ROUND - sizeof (void *) * 4)
 {
 ncur *= elem;
- ncur = (ncur + elem + (MALLOC_ROUND - 1) + sizeof (void *) * 4) & ~(MALLOC_ROUND - 1);
+ ncur = ((size_t)ncur + elem + (MALLOC_ROUND - 1) + sizeof (void *) * 4) & ~(MALLOC_ROUND - 1);
 ncur = ncur - sizeof (void *) * 4;
 ncur /= elem;
 }
@@ -2272,7 +2272,7 @@ static void *
 array_realloc (int elem, void *base, int *cur, int cnt)
 {
 *cur = array_nextsize (elem, *cur, cnt);
- return ev_realloc (base, elem * *cur);
+ return ev_realloc (base, (size_t)elem * *cur);
 }
 
 #define array_needsize_noinit(base,offset,count)
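Review bot: `ncur *= elem;` inside the rounding branch is still an `int` multiplication, so the overflow flagged at the condition can still occur one line later. The new `(size_t)ncur` cast is then applied to a value that may already have overflowed, and the masked size_t result is narrowed straight back into `int ncur`. Doing the whole rounding in a `size_t` local and assigning back only when the element count fits an `int` removes both the signed overflow and the silent truncation. The sketch below keeps the unrounded count in that case and assumes `INT_MAX` from `<limits.h>` is in scope in ev.c; where `size_t` is 32 bits the product itself can still wrap, so a pre-check against `INT_MAX / elem` would be the stricter form. The function begins above the hunk, so the loop that ends at `while (cnt > ncur);` is not reviewed here.

```c
  if ((size_t)elem * ncur > MALLOC_ROUND - sizeof (void *) * 4)
    {
      /* round in size_t; ncur is never multiplied as an int */
      size_t bytes = (size_t)elem * ncur;

      bytes = (bytes + elem + (MALLOC_ROUND - 1) + sizeof (void *) * 4) & ~(size_t)(MALLOC_ROUND - 1);
      bytes -= sizeof (void *) * 4;

      /* keep the unrounded count if the rounded one does not fit an int */
      if (bytes / elem <= INT_MAX)
        ncur = (int)(bytes / elem);
    }
```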
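Review bot: `(size_t)elem * *cur` in `array_realloc` converts whatever `array_nextsize` returned without checking it. A zero or negative `*cur`, which is possible if the int arithmetic there overflowed, becomes a tiny or enormous byte count instead of an error. `ev_realloc`'s prototype is not in the hunk; if its size parameter is a signed `long`, as in upstream libev, the size_t product is narrowed again at the call and the CWE197 finding only moves. A guard before the call such as `if (*cur < cnt || (size_t)*cur > SIZE_MAX / (size_t)elem)`, handled the same way as an allocation failure, would make the cast meaningful. A one-line comment stating that `*cur` is an element count and the argument a byte count would also help.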